
tv   House Financial Services on Digital Identity Protection  CSPAN  September 13, 2019 4:01pm-5:33pm EDT

4:01 pm
that hundreds of boys had been separated and warehouse and walmart. i want to find out about it. they decided they did not want to see what was going on. they called the police. the video went viral and all of the sudden all of america was hearing about cages and secret warehousing of migrant children. >> watch book tv every weekend on c-span2. next, representatives from the banking and financial security and consumer protection industries testify about consumers digital identities. this task force on artificial intelligence is 90 minutes.
4:02 pm
4:03 pm
>> identity fraud is a hugely important problem. today, criminals have tools at their disposal to get at sensitive consumer financial data. complicated situation and that we get briefings like where i just received you go through just how massive the problem is and the techniques that are available. we realize that mentioning them in public is not a wise thing to do. this puts us in a tough situation. and thell of my members committee and their staff to get those briefings from members to our testifying today to see how big a problem this is.
4:04 pm
it is costing us a lot more than we think. there are large numbers of tools that people use. these intrusions are only becoming more sophisticated. in the news this week there was synthesizer voice from anke instructions employee who thought it was his boss. that will accelerate as the technology gets more advanced. the stakes in this are enormous.
4:05 pm
financial services at the front lines of this attack. it can be used for something to do identity fraud.
4:06 pm
it can be bought cheaply off the web. these fake identities look completely real. criminals can use them to open accounts. the unfortunate common practices of breakout, where you simply have a massive loan and never repay it. you buy a car that you ship offshore. this scam happens using these synthetic identities. there are a number of things that we can do. i was very impressed by the roadmap produced by one of my witnesses here. someone only has time to read one document, that is the one i
4:07 pm
personally found the most useful. it provides a roadmap for what government can do to help. i think the government has a unique role in provisioning that we ultimately should take responsibility for maintaining a valid list of our citizens. this is one of the reasons why i am very eager to hear more from the witnesses in this hearing. in light of the fact that we are unlikely to have a large amount of time because the votes may be intervening, i think i will just cut off my comments here and turn it over to my colleague. hill: thank you for intervening this task force. i know this is a topic that you particularly care deeply about.
4:08 pm
very interested in learning how our identity systems can be modernized in such a way that of the personal information of our citizens. we anticipate a digital world where we are distributing , productsservices digitally through banks and non-banks across the country. mobile app ora through the internet or through the web. this issue of authenticating someone's true identity that you are doing business with and that they in turn are granting you the financial services company access to their information for a particular purpose. all of this relates to how we identify people and how we authenticate people in this space. a lot of people who are banks or financial services are not covered.
4:09 pm
issue of how we improve that and offer innovation is very important. really have a completely digital process in 50 states in this country are internationally if you do not have cyber protection. had we authenticate people in a more protective way? more than a username and password.
4:10 pm
also the issue of data breaches is critical. the federal government doesn't have any better track record than the private sector. we have been talking about the incompetence of the federal government. obviously this is a key issue. if you are a state actor, that is where the disruption is very
4:11 pm
vulnerable. to advances in technologies such as artificial intelligence and machine learning, it is becoming increasingly easy to authenticate individuals and mitigate that kind of fraud. we must be vigilant of policymakers to ensure our sensitive information remains private. i look forward to hearing the witnesses help us understand these issues and what we might that are legislatively or regulatory really to improve this process. i look forward to the discussion. rep. mchenry: what is next? how many breaches will it take before congress takes appropriate action to view cybersecurity as a top priority.
4:12 pm
a few months ago we had the world's biggest bank executives right behind -- in front of our panel. they said the biggest threat was cybersecurity. what i appreciate about this panel is that -- and i appreciate the work mr. foster has brought to the table, because we begin with a bipartisan challenge, a challenge that we can seek bipartisan solutions to hear and congress. and new thinking. an innovative approach to this really cumbersome, dom password/ username situation we are already in. a new type of thinking that is occurring in the private sector. to ensure policymakers keep pace with what is happening in the private sector.
4:13 pm
thank you so much. today we welcome the testimony of an washington, professor of data policy at nyu. a managing director of venture security. a coordinator of the better identity coalition. the president and founder of risk solutions. and the chief identity officer of security technologies. witnesses are reminded that oral testimony will be limited to five minutes. your full written statements will be made part of the record. ms. washington, you are recognized for five minutes. >> i'm grateful for this opportunity to speak. professor, ime a spent eight years in financial services. in addition to many years working in support of this
4:14 pm
chamber. my name is and washington. why did i give my name? i gave you my name because it is an identifier. digital financial services rest on the ability to guess that you are you. artificial intelligence goes further by taking actions. today i will explain why identity is important. why ai makes mistakes. and what we might do about it. consider a firm with an ai system that works 99% of the time. that is great. but in a business of 10 million people, that means it fails on all hundred thousand people. family who cannot get a home mortgage.
4:15 pm
let's not forget that owner face even greater financial risks. much of the data technology today was made for marketing purposes. it is cute. it is a momentary curiosity. a digital mistake is detrimental and it is ongoing. a teacher in maryland had to give up her livelihood. profession that required continual recertification. she probably does not see herself as a new york driver. she is just the information on
4:16 pm
this slide. someone else in new york has the exact same name and the exact same birthday. they have no recourse to solve this confusion. a data double is how the scholars call this. that is someone who has the identifiers but is not you. i'm a computer scientist with a degree in business. i think this stuff works. there is little financial incentive to fix these mistakes. mistakes will happen. it is mathematically certain. are the chances that you will meet someone who has the same birthday? it is really high. it only takes 23 people in the same room. probably the members of this committee and staff, there are people who have the same birthday. not as rare as we perceive them to be.
4:17 pm
so what can be done? artificial intelligence identifiers are built for a global audience. i will argue that we need a way to get feedback into identity systems. i want to know how i can improve and make the systems better. this could lead toward procedures for handling errors and exceptions. this is one example of how ai systems need a feedback mechanism. argue that the authority of human experience must balance the authority of data. that's happen. experience matters. each of you has someone in your district office that does casework.
4:18 pm
a recognition that institutions sometimes of individuals. what will be the resolution process for identity disputes and artificial intelligence. >> i lead security practices for north america financial services. thank you for the opportunity to speak your today. innovation and digital identity and access management is extremely important to cybersecurity. we live in a digitally connected world.
4:19 pm
most of these transactions happen online. key to the mistrust. the information we used to validate our identities is available to dark web forums and social media postings. that makes us more vulnerable. i would like to draw members attention to the slide on the screen that lists five global us.r threats to identity theft is first because it is at the root of every breach.
4:20 pm
ultimately gaining access to privileged data and systems. attackers stole $81 million. that was more than three years ago. today we can use ai to enable financial institutions to have more accurate pictures of employee access across a complex
4:21 pm
enterprise. managers can make better decisions. leading organizations are leveraging biometrics, ai behavioral-based analytics, and multifactor authentication to make real-time, risk-based authentication decisions. to approve transactions and make limits on them. these new tools are providing secure online identities. we are part of the id 2020 alliance. create digital identities in developing
4:22 pm
countries so they can competently receive government services that validate their services. digital identities allow people more security over their data. congress needs to pass a national privacy law. this would build consumer trust. it would enable the private sector to offer more goods and services. congress should help foster an environment for digital innovation. i encourage you to ensure that any new law to advance digital
4:23 pm
identity be tech neutral and interoperable with other sectors. is much work to be done to build. i want to thank you again for the opportunity to discuss the issues and i look forward to your questions. thank you for the opportunity to testify today. i am perhaps that she or about half of the better identity coalition. at 22 members are united by common recognition that the way we handle identity in the u.s. is broken.
4:24 pm
and a common desire to take steps to make identity systems work better. i am grateful to this task force for calling me here today. the way we have identified -- handle identity in america impacts our liberty. as an economic standpoint we move to high-value transactions and the digital world, identity can be the great enabler. cyber attacks are executed by taking advantage of weak or stolen passwords. we have seen adversaries seek to steal massive datasets so they can have an easier time compromising the questions used in identity verification.
4:25 pm
attackers have caught up with many of the first generation tools that we have been using. there is a of reasons for this. the most important question is, what do government and industry do about it now? that is a key point. if there is one message this task force should take away, it is that industry has said they cannot solve this alone. we are at a juncture where the government will have to step up and play a bigger role to address these vulnerabilities. last year, the better identity coalition put out a blueprint for the government. when talking about the future will of the social security number, it is essential to understand its role as an identifier.
4:26 pm
and its use as an authenticator, which is used to prove i'm really me. no longer be used as authenticators. we stop pretending the numbers are secret or that the knowledge of one can be used to prove someone is who they claim to be. that doesn't mean we need to replace them as identifiers. a system that treats them like the widely available number that they are. i have yet to see any replacement proposal. on the authentication topic, there is good news. have-stakeholder efforts developed standards for next-generation authentication that are being embedded in most devices, operating systems, and browsers in ways that enhance security. the passwordless era is near.
4:27 pm
government will need to take a more active role in delivering next-generation idea solutions. we are not recommending that a national database be recognized. our challenge is the identity gap. all of these systems are stuck in the paper world while commerce is moving online. modernizes, we should around the consumer model that allows the consumer to ask the government issue to stand beyond in the online world by validating the information from that credential. it is about producing a new paradigm. she provides basic identity information but since she is not there in person, the bank does not really know if it is her or if she is a real person.
4:28 pm
she will ask someone who knows her to prove that she is who she claims to be. because the app was issued to her phone at the time when she got a drivers license, there is now a train of -- chain of trust in place. the bank can set up a secure connection. concept was embraced in the 2016 report from the bipartisan commission on enhancing cybersecurity. i appreciate the opportunity to testify today. i have submitted lengthier testimony for the record. thank you for the opportunity
4:29 pm
to provide before you. -- appear before you. i am the founder and president of turnkey solutions. i spent 20 years in the financial services sector at a large institution. i was at j.p. morgan chase, where i was responsible for establishing business practices around proactive identification of fraud threats that included credit bust outs, identity manipulation, and credit abuse. as we consider how to use artificial intelligence, it is important that we clarify our target by gaining a more comprehensive target of what synthetic identities are. for the purposes of my discussion, a synthetic identity and its basic form is a social
4:30 pm
security number, a name, a date of birth. creating one is materially different than traditional identity theft. in cases of traditional identity theft, impersonating a person. in cases of synthetic identity, the criminal is using a limited amount of elements of a person's identity, for example just their social security number, and a pair that for a name, date of birth, and address they control and create a distinct persona. they do not want to co-mingle with an existing person. once that synthetic is created, you can use that for pretty much anything. banking service, social media, insurance, rent an apartment, enroll in benefits programs. you can basically use it for any purpose the creator intended.
4:31 pm
technology plays a huge role. advances in technology create speed and convenience but also anonymity for the fraudsters. awareness consumers are a lot more educated on understanding the importance of their credit, the different ways to protect identifiers, stay away from compromising their information. that information has been put out to protect consumers but also used by organized criminals to design their attacks specifically to exploit those types of evidence. regulations have done a lot to protect identity theft victims and to be able to make sure they have ways to remediate when they have been victimized. we have seen those same leveraged, exploited
4:32 pm
, and abused by criminals. we want to erase and eradicate thief,g with identity havehe same protections been leveraged by them. that information wasn't as useful as it had been in the past, so they started to move to names,atic information, social security numbers, date of birth. this broad threat was specifically engineered to invade existing controls while avoiding vulnerabilities. many groups creating this type of fraud are highly organized, sophisticated, and tend to be transnational in nature. industry, we need to be
4:33 pm
more effective in adaptation of evolving technologies. as we seek to deliver unprecedented speed and convenience, we must remain vigilant in understanding the threats to our interests and infrastructure. synthetic identity fraud in the u.s. and around the world is widespread. it is being amplified by increased digitalization of products and processes. alld operates across delivery channels, providing the perpetrators with unfettered access, making it essential that we act in a unified collaborative enter. we must recognize the complexity of next-generation fraud and be informed of the severity and scope. negation efforts from industry to make sure --
4:34 pm
must be fluid and nimble to make sure we can address these. it needs to be universally defined in order for institutions to detect, report, and remediate. i appreciate your opportunity and look forward to any questions. >> chairman, ranking member, and all members of the committed -- the committee, thank you. i am the chief identity officer at security technologies and i look forward to sharing experiences and sharing a database and network that works across the economy. secure key is a world leader in providing technology solutions to enable citizens to access services. we focus on the public, private sectors.
4:35 pm
governments and other organizations have strong incentives to realize cost savings and increased integrity. an organization's ability to do this hinges on a single question. can i trust the person or digital identity at the other end of this transaction. identity is broken and problematic for citizens and businesses. mix of measures to mitigate risk, but solutions tend to be complex and not fully effective. site, -- the other side, citizens are asked to do a number of methods to onboard the security needs of services. three stories every about online impersonators. fraudsters are correcting -- are
4:36 pm
collecting information to know as much if not more than the system they're impersonating. biometric methods, which have been presented as a digital solution to digital fraud, have been targeted by hackers. you can't change your biometrics. our collection of systems are too hard for a consumer to use. it is not solving the problem and it is too expensive to be sustained. consider the ceos of facebook and twitter. each know how the system works, understand identity best practices, and even they have trouble controlling fraudulent access to their digital identities. dorsey became the victim of fraud.
4:37 pm
if they can't manage and be protected in the current digital landscape, how are the rest of us supposed to manage? it needs to be said that there is no organization on the planet that can solve digital identity on its own. it takes a village. each player playing to its strengths and creating trust. the model of the public-private partnership between government institutions, and other providers. governments are the foundational issuers of identity documents in the form of birth registries and immigration documents. they also link to a living person. governments aren't as adept as the commercial sector at knowing the person at the end of a digital transaction. the irs has a file on everyone
4:38 pm
in this room but they will be hard-pressed to point us out in a crowd. that is why they use kba. according to -- compared to other organizations, citizens only rarely interact with government in their daily lives. they will log into their bank account several times per week. this increases the integrity and transactions for banks. our mobile devices are always within reach. carriers have security features which are important and tied to subscriber accounts. services built on open standards. verify me was developed in cooperation with seven major financial institutions in canada. it takes a digital approach to solve identity problems with greater simplicity, higher integrity, better privacy. the information -- we have helped to solve the digital identity problem in canada and developed a model that works
4:39 pm
around the world. the u.s. department of homeland security and the digital and identity council of canada. thank you for the opportunity to share my comments today. >> i will now recognize myself for five minutes for questions. one thing that impressed me in your testimony was the bipartisan nature of support for this. you are very involved in the obama administration's initiative on secure online id. it appears that omb and the current administration is strengthening those initiatives. you say what government involvement is in strengthening identities online? >> as you mentioned, i spent several years in government.
4:40 pm
although i was a civil servant while i was there and stationed up the road where i served as senior advisor for identity management. this has never been a partisan issue as you point out. much of what the program was focused on was how to basically catalyze a marketplace. the idea, the government's role should be limited, but government should play a role where there are a lot of gaps to fill. looking to carve out an appropriate role for the government in terms of one where there is not too much of a role for the government. in may, the office of management and budget signed memorandum 19-17 into effect, updating a lot of the government's
4:41 pm
cybersecurity policy. we were excited to see that they took one of our key recommendations, basically: for industries to create privacy woulded apis, which validate -- which would have consumers validate information about themselves i think now that that is in place, there is a good policy foundation to governmentto bring to play this role. >> you both touch on in your testimony defect and lack -- the lack the fact of of being able to protect yourself, those who are not wealthy. some of the biggest improvements having a way to authenticate
4:42 pm
yourself. i wonder if you could offer a little bit about why this is. >> it is interesting that if you at some of the things that said, whetherdic banked or un-banked have cell phones. we could establish confidence by having a national privacy law, i way toould go a long engender trust. also being able to use the rule that is in their hand to be able to validate so -- able to validate themselves.
4:43 pm
>> ms. washington, do you have anything to add? ms. washington: i would say, right now, without a standard procedure, people who feel less powerless in society will how toy not figure out dispute it. rep. foster: there is probably also a tendency for wealthy people to have more established financial transaction records to be used in a secondary way to make sure the person is real and so on. do you have anything to add? >> we have to take into consideration, for all the things we are putting in place to protect consumers, there are much easier ways to go back and negotiate the system.
4:44 pm
all of the controls we are putting on for artificial intelligence, you have to understand who this person is. we need to go further up the chain and make sure that identity is actually factual first. we need to get to the root of the issue instead of just addressing in some cases the symptoms. we would get much more collaborative between industry and government. we need to reshape the issue and look at it from a different lens. rep. foster: thank you. mr. hill is recognized for five minutes. rep. hill: i would like to ask that something gets submitted for the record. one industry that -- one thing that has been concerning for our title industries across the country have been email fraud.
4:45 pm
i would like to submit a letter from chairman powell as well as the response he had on this issue. >> without objection. rep. hill: this has been a really good panel. we are trying to correct the world we live in and prepare for of the future, and we can't do it without a privacy standard. i think all of you gave great pleased tod i was hear talk about omb issues. anddangers of data scraping for is not practice accessing customer data. will the policy that in the
4:46 pm
and it is aector good standard for the private to adopt? >> i think it will help to contribute to some of the challenges we have seen in open banking. i have been really impressed by the work of the financial data exchange, a group that was what doesin cybersecurity work. they brought together banks and firms to come to -- to come up with a standard api that will allow a consumer to decide to essentially securely grant certain access rights to some of their financial data. because their identity is that core control, if we were able to enhance some of the ways we do
4:47 pm
identity verification, i think we will have robust solutions across the board. rep. hill: i think that is very helpful. this issue of synthetic identity, could you explain that. are you saying people are not imitating the exact person, individual,ew creating -- using all validated information. ms. walraven: similar. they can use real information, let's say a social security number. they will take that, add a name that is different, add a date of birth. they would probably make it closer to what is likely for
4:48 pm
them. put it at an address they can control. from there, they create separate and distinct identity. it is not real per se, as far as identity, but it functions, especially in a digital and paperless era, exactly as a real identity. they know their mother's maiden name, the userid and password, the security questions, because they created them. afterwards, you are not going to catch them in the existing infrastructure we have because those credentials are known to them. grant, i read recently about the beginning of the implementation of the california statute. for the 4.5 years i've been in congress, we have debated
4:49 pm
privacy and witnessed the battle between retailers and the financial services industry, which grows tiresome on this committee, and the desire to have a 50 state solution. now, california has acted. ccpa a net positive for the consumer? the approach they took. i think ccpa, writ large, we will have to see how it goes. there have been a couple of things on the identity side i have been concerned about. it took kind of an ambiguous approach about whether you can use data for fraud prevention. in europe, i thought they did a good job saying, if you are using data for marketing purposes, all these rules apply. using data that is
4:50 pm
for security and fraud prevention only, that is ok. in california, they took a little bit of a different approach. part of it i think was the law was written in about a week. i think they were trying to head off a ballot initiative. it says a consumer cannot go to a company that is doing security and fraud prevention and ask the data could be deleted. but they stop short of saying you could go to a company and opt out of that being used at all. and% of people to companies tell them to turn off the security analytics controls, some of the best tools this year willols we have today, it put consumers and businesses at risk. gentleman from north
4:51 pm
carolina, ranking member mr. mchenry is recognized. rep. mchenry: informative panel. i think this is quite constructive for what has been a rather tiresome debate between retailers and banks on who holds the bag without talking about progress or fixing the problem. they want congress to intervene and make the decision on who gets sued. let's get beyond that, to the solutions. i would like to hear the story of what your company is doing in canada to verify identity, and the undertaking you and your company have had. there have been two generations of services we launched in canada. one was in 2012. it was designed to be a safe replacement for user id's
4:52 pm
and password. when i went to the tax authority, i forgot my password. they had to send mail to my house. i solved the problem a different way, they sent me this thing two weeks later, and the next year i do the same thing. that cost me $40 a shot. they spend millions of dollars identifying 5 million canadians. their costs have come down. canadians are now able to use their bank account to get to government. the reason this works better is because canadians are in their bank account every week so they are not going to forget the password. more importantly, if they can't get in, they are on devcon five, they will run down to the bank right now.
4:53 pm
the challenge with that service is authentication only. it didn't solve the identity problem. in may of this year, with all the major banks and several other trusted partners, we launched identity service, which allows me to prove my identity based on banks, telephone data. i authenticate with those providers myself and under my control i can give that to someone else when i want to sign up for a new service. it takes costs down and gives better results. rep. mchenry: verify me. block chain technology, walk us through that. >> we came at it from a different point of view. if any organization is consuming data from a network, they have three requirements. requirement number one, they want to know the data came from an authoritative source, like a government issued id.
4:54 pm
the second requirement, they want to know the data has not been altered. take my drivers license, all my data, and stick their photo on it. they want to make sure the data belongs to the person presenting it. why block chain? block chain test three specific things. it allowed us to implement triple blind privacy. in canada, when i use my bank account to get to the government, my bank doesn't see my online destination. the government knows i came from a tier one bank in canada but not which one. triple blind privacy says, not the bank, not the government has a complete picture of the user journey. when we try to do that with identity, with us in the middle, we were going to see a lot. we wanted a way to do triple blind identity. so i can send my money from wells fargo to the irs without
4:55 pm
either knowing. it allows a sticky -- to meet the integrity challenge. the side benefit is we get resiliency because it is hard to mount a denial of service attack. rep. mchenry: broadly, the block chain cryptography is a leap forward in order to ensure that you can have that movement of data. here's a different question. is there a different cultural assumption between folks in the united states and folks included about their digital identity and willingness to share that data? >> i think the stance is very similar. i would say the privacy regulations are very similar. they have recourse, if something negative happens, they have somewhere to go to get it sorted.
4:56 pm
rep. mchenry: let's get at it. patter, let's get at her. highly informative. i have three hours more questions but every one of you are top-notch. >> the gentleman from georgia is recognized. >> thank you, mr. chairman. thank you to all of you on the panel. this is intriguing coming from an i.t. background. i have been dealing with cyber issues since my time in the air force, dealing with intelligence all the way up through even protecting businesses and school systems with internet access. it is an ongoing c. transactions that happen especially in the financial services sector, verification has to be done at the same
4:57 pm
speed. i like using cash. i like reading a printed book. i like going to a store and putting my hands on what i'm going to buy. i am unique in the world today, i found out. the younger you are, the more you are relying on the technology. we have to be exploring these areas. i would like to submit for the record a letter from the consumer first coalition expressing concerns of congressional oversight over the social security verification system as they move forward. >> without objection, so ordered. washington brought up an interesting scenario. i have one that i found quite unique.
4:58 pm
i was taking a group to the white house. if you have ever visited the white house, they have quite a verification system. if there is one thing wrong, you will get pulled out and put in the holding area. one young lady, early 30's, was put in the holding area. she said, this happens all the time. identical twin sister. didn't realize she was going to have twins and had already chosen the name, so she gave us both the exact same name. it was elizabeth grace smith. one was called liz, the other called grace. they have the same birthdate, the same birth location, the same height, weight. what triggered the secret service was their social security numbers were off by one
4:59 pm
digit. this is an illustration of the type of thing we are going to encounter. we have got to find a path to get there. i am big on innovation, big on sandboxes so we can explore ways to do this but it has to be done. it took us a while to adopt the chip payment system. traveling in europe, they had it a long time before we were able to adopt it here. it has reduced the counterfeit fraud by 87%. the bad players, the criminals, now focus on digital payments. that involves digital identities. solutions. cybersecurity solutions. we need to combat these digital payment frauds.
5:00 pm
are we heading in the right direction? do we have the sandbox available to develop these? >> that's a question. i remember when i was back working at the office of the comptroller of the currency. when the deadline was approaching for chip and pin and the conversations -- we have to appear before conference at that time as well. i remember distinctly having this conversation about what it would do and what it would not do. as we've seen overseas, the card not present fraud is through the roof. bad guys know. all these online transactions are card not present. that means they are missing that authentication aspect. being present with that chip and pin. while it was a step in the right direction, and it was just a layer, the fact that most of our transactions are increasingly online and need to happen at the speed that we've discussed, we
5:01 pm
need to create an environment that fosters innovation. that figures out a way to improve the state of ids that creates that more trust that we've talked about here. do it in a way where people can protect all consumers and everyone can get bought into the system. why my colleague jeremy and this roundtable i mentioned earlier, they have a lot of alignment around what needs to be done to create that transparency for consumers with privacy. better ecosystem to enable them for online transactions. >> i have tons of questions. this is intriguing. i am already out of time. i will submit the others for the record.
5:02 pm
>> the gentleman from ohio is recognized for five minutes. thank you for the panel, for your outstanding testimonies and participation today. it has been a great setting so far. i want to drill down on some of mr. mchenry's questions about block chain specifically. we will spend some time there if you don't mind. as you were innovating in the space, what legal impediments existed in canada that prevented you from developing on the block chain and what has had to change? walk me through what it was like as you were innovating and how you got there. >> sure. one of the biggest challenges is, when you look at the economy,
5:03 pm
the most rigorous process we go through as consumers is when we go to a bank. they have kyc. in canada, our organization has a set of interpretation bulletins that they use to interpret the legislation to say what banks can and cannot do. when we started this process, it didn't include digital methods. it took a long time to talk about the advantages of doing digital methods. one of the things we were able to convince the regulators is what we were doing with our services was getting card presence identity. when i take my driver's license to the counter, the bank is defenseless against that attack. they can't check against the issuers. with our service, all the data is checked in real-time. that is getting the regulators to understand. this is better than what we can do in person. this is more powerful. >> was that a regulatory or legislative fix? >> the interpretation bulletins
5:04 pm
were updated to include digital methods. >> legislatively? >> yes. you look at the u.s., where you see similar holes where we should be legislating to enable the technology? >> canada had an advantage. we have a small set of banks and provinces. we could get everybody in the room. economic construction here is different. you have 3000 banks and 50 states. you have a small set of telcos. this could be applied to the u.s. follow. -- model. there's a lot of work to launch a similar service to the one we have in canada. that's down the track. more work needs to be done. there will be similar challenges where the regulatory will have to support it. >> do you have any specifics in mind?
5:05 pm
>> yeah. as follow-up it testimony. you can review that after. >> that would be fantastic. half of our membership is fin tech. one of the things we called for was the treasury and regulators to do more here. they have been receptive to discussions with us. if you are seeing a barrier, please let us know. marshall billingslea is assistant secretary in the office of financing. they want to do a tech sprint working with industry to help bring regulators and -- together. i continue to ask my members every month, are we running into things precluding innovation? the biggest answer we get is, there's a regulation with
5:06 pm
ambiguity and the compliance people have their freak out. it's hard to move forward. i'm bullish there. where we need more effort, we talked about the omb memo. that's a nice start. policy members come out all the time and get ignored. we need more of a formal governmentwide initiative convened by the white house to look at how to bring agencies to figure out how to take this to the next. needs to be done at my old agency. a framework of standards to help agencies could benefit from a center of excellence in government as well that could actually help. the social security administration is developing that service. getting other agencies to do that needs technical help. these are little steps around the edges that can make a big difference to helping this problem. >> thank you. thanks to everybody for the time and energy on this. we will follow up.
5:07 pm
i yield back. the gentleman from virginia is recognized for five minutes. >> thank you. i would like 60 minutes to question the panel please. it's good to be here. about my birthday. birthday is march 17. st. patrick's day. look at that. no one. my goodness. i want to give my background really quickly because i'm excited about this stuff. i was in military intelligence about 26 years. tracking people and finding their identities without them volunteering their innovation -- information. it is the bridge between technology and operations and how this would happen. my questions might be more esoteric and fun, i hope. i have about 50 questions i'd written down. i'm going to try to go quickly.
5:08 pm
i've always had too many to go quickly. i want to start here with the bottom line upfront and i will go backwards with technology. it does sound like the use of ai will be a critical part of ensuring security and digital identity. should we be concerned that this kind of technology could be cost prohibitive? is that something we have to worry about? >> anytime you deal with innovation, smaller companies in the world are really creative and they partner with accenture to make that possible, to make them scale. i think we need to find ways to help smaller companies actually be able to leverage some of these capabilities that you are pointing out. i would commend the ranking member's effort in his own district in little rock to
5:09 pm
create an innovation hub where community institutions can actually learn how to take advantage of these things. the other way to help them scale to the benefit of smaller is to actually help them do that through the partnerships with their third parties. their large-scale technology service providers. >> that's why i get excited. we are creating our uke -- unique identifiers. forward, do you see companies rejecting individual or business transactions with other entities based on insufficient authentication of identity? when i look at how people are going back and forth and utilizing their own signatures, are we going to get to a point where you see private companies
5:10 pm
actually creating their own unique id set of criteria? do you see them ensuring that and rejecting those companies? i listened to what mr. grant has been doing in canada. are companies going to be judged based on their criteria for how they protect identity and other companies rejecting that identity based on new ids? do you see that happening in the future? >> one of the things we have been trying to do in the u.s. has been looking at whether we could have certification programs for private issuers of identity. i talked about the role of government. my bank knows me. that's the foundation of what is happening in canada. they have to figure out who i am before they open an account. could they then vouch for other places? could i log in with my bank somewhere? there are certification programs in place today from organizations.
5:11 pm
this has been recognized by the general services administration to certify the way that a private sector entity issues an identity. going forward, i talked about the concept of an identity ecosystem. be able to create some hybrid solutions that could really bring in the best innovations the private sector could deliver with access to a sort of give -- authoritative accesses the government has. can give people something that's portable that they can use everyplace that they go. >> you are in my head. if we are creating this identity token, we are dealing with unstructured data. we are dealing with new things like natural language processing. is there a time where we will be able to customize our token where the only way we can find our identity is the stuff that
5:12 pm
we actually customize with that information? we own our identity by customizing our own information? >> there's a lot of focus on how you can allow people to only reveal certain things about themselves without revealing everything. there are great models in place these days that'll give people very granular choice for what they share about themselves online. when we talk about the privacy debate in this country, so much is tied to identity. what information is collected on me? strong tool that you can use to manage that and go back and revoke certain things is going to be a key enabler. >> thank you so much. i apologize for how quick that was. you guys are fantastic. >> thank you. the ranking member and i will each have an additional five minutes for questions and closing. i would like to recognize mr. hill. thank you.
5:13 pm
i think you heard a good discussion and the panel has been very appreciated. i want to go back to finish our conversation about the california proposed statute. we may broaden that to the panel lawell to compare a rush set of parameters with the more thoughtful approach the eu took it have a compare and contrast. the wall street journal last week reported that private businesses could face a half $1 billion compliance burden trying to comply with the california law. talk about that. finish your thought. i think you returned to make on -- it was rushed. you have some concerns you outlined >> the point i was
5:14 pm
making with california, there have been some proposals to try to clarify that. >> this is the information to be used for fraud investigation. >> the backdrop on this is that identity analytic solutions, many that are using ai, are one of the most powerful tools we have today to actually prevent fraud. to give you a number, microsoft started talking about this publicly. they manage billions of logins a day. two years ago, they were seeing 10 million attacks per day. one year ago, they were seeing 100 million attacks per day. this year, 300 million attacks per day. that's a 30 times increase in two years. the way they are actually combating this is with data-based analytics systems. some might be collecting things like personal data. so long as you have a carveout that says, that's ok if you are
5:15 pm
worried about security and fraud protection. you can't take that data and use it someplace else. the european banking authority is actually actively promoting the use of what they call transaction risk analysis to secure payments. i think the concern here is if it's more ambiguous or if we are considering federal privacy legislation that doesn't say it as clearly, the 2% of people calling up microsoft to give examples and say, don't use those systems. turn that off. what are they supposed to do at a time when attacks might go up another 10 times next year? that's my concern. >> you mentioned open banking in the u.k. canada as well. is anybody else adding to that, on california? on the privacy directives in europe and what you have done in canada. has europe and the u.k. solved this password authentication
5:16 pm
process in order to make open banking a safe activity? >> [is a singular term. the way it manifests in each country has been different. some countries have it compulsory. in others, it's optional. in some places they include the ability to do push payments. it's not a uniform application of how it works. of open banking is that it will cause asset stripping. the banks are forced to open up their apis and give us the data at no cost. the consumer is going to give this to some new startup that doesn't have the same controls as the bank does. then the consumer is going to come back to the bank and say, how did you let this happen? what we should give away is trusted data so consumers can give it away granular.
5:17 pm
that's the approach we are looking at in canada. in australia they took the approach that is reciprocal. if you will participate in open banking, you also have to agree to advance to share data back with the network. that solved the asset stripping issue. i'm interested in what we do regulatorily about how we handle this requirement of an api approach. a discrete approach instead of just allowing scraping. i hear from startup entrepreneurs, you are disturbing the customer experience. i would argue customers experience is getting messed up when everything is stolen from them. that's not a good idea. that is something specific regulators can do? >> you can't do open banking with
5:18 pm
open digital infrastructure. this is the problem. i'm a consumer. you are the bank that's trying to represent me. jeremy is the startup that wants my data. how is jeremy supposed to present to you that he has my permission to get my data? you have this three-way triangle of authentication trying to go on. the consumer's never going to get it. the only way to follow this is allowing consumers to have digital identity infrastructure. >> i yield to you. >> thank you. the business of this three-way conversation is fascinating. i think there are technological solutions with a properly designed app on your cell phone. the future of this is not an identity dongle but perhaps an advanced cell phone. it can store the private keys and is resistant even against having your cell phone completely hacked.
5:19 pm
maybe it would capture the screen and see password being transmitted. you cannot actually steal from the secure enclave in these. that's a tremendous advantage of that approach. you can still have this three-way conversation under the control of properly designed apps. i think there has been great progress. it relates to the use of block chain. advantages is that it provides a non-falsifiable ledger. is there a solution to developing a witness protection program which is government sponsored synthetic identity fraud? is that something that people have thought about and come up with solutions to? >> i don't have a great answer. one of the challenges of that, what we are getting with these records, you can't go back in time and insert a person for the purposes of witness protection. it's difficult to do.
5:20 pm
you will have to find some other method to bring that identity along. >> if it's a publicly visible block chain -- >> ours is not. going back and altering records in the past is hard. what the government could do is have a set of identities on standby to use for the future so they have the longevity that would be required. that has its own pitfalls. >> it has to have all sorts of secondary verifications. you should put that on your to do list when we come up with a perfect example here. it also seems to me that to come up with the ultimate solution here, there has to be a role of government. at some point in your life, you have to go and authenticate yourself and be uniquely identified using biometrics. at that point, you can be issued a security dongle or the cell phone equivalent. you can use that for many
5:21 pm
purposes in very streamlined transactions. logical alternative than having every citizen who wants this to be able to identify themselves, knowing there is not synthetic identity fraud or other people using their credentials. any alternative to have them presenting themselves in front of a trusted government authority? some payment learn systems we try to do identity. a data breach has the same identity as new money. comparing identity to money, there's a lot of things they can learn. when you look at the global payments system, 6 billion cards in circulation who have never been compromised. you can have your favorite bank and i can have my favorite bank and we can go to any merchant on the planet with any prior relationship. importantly, when we lose the card, we call the bank right away because we are terrified to be responsible. that integrity is what makes the process work. these things make the global
5:22 pm
system work. we made it super simple for the consumer and we hid the complexity of waste they don't have to understand everything. we have a trusted network operator. you have to apply to get in the network and you have to be able to stay in the network. the third most important thing is user behavior. i look at my wallet and see my card is gone. i will be on defcon five. i'm terrified i will be responsible. this system is not perfect. synthetic identity fraud can still permeate such a system. >> that's when it comes down to understanding, knowing your real customer. we do have controls in place that are supposed to do that. we all assume that banks know who their customers are. i know they are all coming from
5:23 pm
the banking industry. everybody is trying not. synthetics are prolific as they are, they are is widespread. they are growing in a force multiplier. they don't actually know their customers. i feel like if you have an issue that is not at the root and you compound on top of that, you just make the issue later worse. even at this false trust. it doesn't allow you to be able to contend with those types of individuals. that goes exactly what they are looking for. they don't want to send that money red flag. they don't want to get caught. they want to be able to continue to navigate through the system. they are currently navigating pretty well unfettered. they give the example that gave of the identical twins with identical names. they differ only in their fingerprints. at some point in their lives, it seems like they have to present to some organization,
5:24 pm
almost certainly a government, who has to go and look and de-dupe all the people who claim to have that name. there's no alternative to very advanced biometrics of some kind. this can be an optional system. if you're going to provide citizens who want one with a secure means of authenticating themselves, you have to have this moment in their lives. biometrics can play a role. i worry about saying they are the solution. i tend to get nervous when we talk about creating new central databases of biometrics. if there is one thing we've learned, we are not really good at protecting them. top-secret clearance. all that information and images of my fingerprints are now in china. at least two thirds of this room probably has the same thing,
5:25 pm
understanding who is here today. would never want to use a centrally matched fingerprint system online where they didn't know i was there to protect anything of value. a nation-state can spoof a fingerprint based off of those images. there are helpful tools. the dmv's are using face recognition for de-duping. it is not perfect. they could toss it to a fraud investigator. leveraging that process is important. the driver's license is the one thing that most americans get in their lifetimes where they have a robust in person identity proofing process. it's really valuable. we think people should be able to reuse it. only 87% of adults have a driver's license.
5:26 pm
it's harder than ever to get one thanks to things like the real id act from 2005 which had good security reasons. the flipside is, if you are on the margins of society, say you have been homeless, say you have been evicted, it's really hard for people to restart their identity lives again. they are just lacking what they used to have. in d.c., there's a couple people. that work with >> i will have to gavel myself. votes have been called. without objection, i would like the report from the better identity coalition to be included in the record. so ordered. i want to thank the witnesses for their testimony.
5:27 pm
is at the root of so many problems that we have. members will have five legislative days to submit additional wit -- questions. i ask our witnesses to please respond as promptly as you're able. thank you again. task force is adjourned.
5:28 pm
[inaudible] >> next friday, president trump
5:29 pm
and melania trump host australia prime minister scott morrison at the white house. it's the president's second state dinner since taking office. will show you the guest arrivals as well as the dinner toasts. our live coverage starts at 6:30 p.m. eastern on c-span. listen with the free c-span radio app. saturday on book tv at 11:00 eastern, supreme court associate justice neil gorsuch discusses his book. >> madison knew this when he wrote the constitution. those are just promises.
5:30 pm
he didn't think we needed a bill of rights if we got the constitution and the structure right. he knew that men are not angels. and that the key to your liberty is keeping power separated. >> on sunday at 9:00 on afterwards, in his latest book, journalist ben westhoff reports on how labs in china menu -- manufacture the drug. he's interviewed by ann mclane kuster. >> if you are a scientist at university, you publish a paper, it went into some university library. pretty obscure. hard to find. in the internet age, all of these papers were published online. >> and publicly available. >> exactly. so these rogue chemists began
5:31 pm
looking for these files specifically for these papers to go through them and appropriate the chemical formulas to learn how to make these new drugs. >> at 10:00 eastern, jeff merkley provides his first-hand account of conditions for my get -- migrant families at the u.s. southern border. >> advocates said that hundreds of boys who have been separated were being warehoused in a walmart. i went to find out about it. they decided they didn't want me to see what was going on. they instead called the police and the video went viral. suddenly all of america was hearing about cages and secret warehousing of migrant children. >> watch book tv every weekend on c-span2. >> saturday at 6:00 eastern, on the civil war, the 1863 tullahoma
5:32 pm
cancan -- campaign. >> everybody concentrating on tullahoma. after they leave the highland rim at this point, somewhat anti-climactic. bragg is ready to fight it out in the trenches. >> emory university professor deborah lipstadt on her 1996 lawsuit against holocaust denier david irving. million, nono 6 leadership from the bar, bachelor. this is all made up. >> at 5:00 eastern, a discussion about shakespeare's influence on u.s. politics. 6:00, the norman rockwell museum traveling exhibit on fdr and the four freedoms.
5:33 pm
explore our nation's past on american history tv. every weekend. c-span3. next, house republican leaders talk about the party's priorities heading into next year's elections. house gop members are meeting in baltimore for their annual party retreat. during this news conference, they were also asked about last night's debate with democratic presidential candidates. >> good morning. thanks for being here.
